I am constantly asked by network administrators how to block two of the most commonly used kinds of applications:
Instant-messaging (IM) applications, such as AOL IM, ICQ, MSN Messenger, and others.
File-sharing applications, such as Kazaa, Napster, and eDonkey.
This section focuses on filtering these two services.
Bandwidth Pigs
I was consulting with a client not too long ago that was having bandwidth problems on its T3. The company could not understand why, at times, its Internet connection was sluggish. After we put a protocol analyzer on the wire, we were shocked to find out that an average of 50 percent of the traffic was related to IM and file-sharing applications. Employees enjoyed using IM to keep in touch with their friends and family; however, some of these included audio and video functions that used up a lot of bandwidth. In addition, many employees were using file-sharing programs such as Kazaa, sharing large files such as music CDs, which is illegal. It took a while to prevent this by enforcing new policies and penalties, as well as using filtering solutions.
Before I say anything about IM or file sharing, I want to make it absolutely clear that filtering these applications is not a simple process. Many of these applications are located on many different servers on which a different IP address is returned when a DNS query is performed. Discovering these IP addresses is not easy, and the sponsor of the IM or file-sharing application tends to change these quite often. Second, if you miss an IP address, there is a chance that the client software still can connect. You can attempt to filter port numbers, but many of these applications use a range of port numbers. In addition, if a client cannot connect to any of them, sometimes they use a common port number, such as 80 (HTTP).
Therefore, even though I show you how to use ACLs to filter this traffic, it will not be an easy task. You also will have to update your ACLs constantly to reflect changes by the IM and file-sharing sponsors. Here are the things I recommend doing to prevent these programs from running rampant over your network:
Develop a policy prohibiting their use.
Use ACLs to detect and filter them.
Set up DNS to black-hole these applications.
Use NBAR to filter them (I discuss using NBAR to filter unwanted traffic in Chapters 10 and 17).
Use an IDS to detect their usage.
The first thing you should do to prevent this traffic is to define a policy that prohibits it, outlining punishments. This kind of software easily can eat up a lot of the bandwidth of your Internet connection, preventing valid applications from functioning correctly.
The second thing you will want to do is filter this traffic. There are two approaches to this. The less preferred method is to use a packet filter to filter the traffic. As I mentioned at the beginning of this section, this might be very difficult, if not impossible. I use this solution if my second solution is not possible. With ACLs, at least, if you are blocking the first method of access that the IM or file-sharing product uses, the ACL statement will register a match. This tells you that someone in your network is trying to use these banned products.
TIP
My preferred method of filtering these programs is to use DNS to spoof the responses. If your clients are using your DNS server to resolve the names, configure your DNS server to not forward the resolution request to the Internet to be resolved, but instead resolve it yourself. In this situation, return the address of 127.0.0.1 to the user's request. This prevents all of these applications. Of course, you must know the DNS names that the clients are trying to resolve. For each name, create a zone and assign the name to the zone, associating one A record with an IP address of 127.0.0.1. For some applications that have hundreds of servers, this might be a difficult task.
IM products are an enhanced version of IRC. They allow the real-time exchange of messages, audio, video, and other information. They are actually pretty cool, but they are bandwidth pigs. Unchecked, they can create congestion problems in your network. My personal view of these products is that if you want to use them, use them at home. Your company is not paying employees to chat all day long with their friends at other locations through IM, nor is it paying them to download live feeds of music, stock feeds, and sports updates. Even though these seem like innocent fun, they can create serious bandwidth problems if their use goes unchecked.
The first new-generation IM program was AOL Instant Messenger (AIM). If you will be using DNS filtering, redirect the following name to 127.0.0.1: login.oscar.aol.com.
For an ACL filter, configure the outbound filter in Example 7-40.
Router(config)# ip access-list extended aol-messenger
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny udp any any eq 5190
Router(config-ext-nacl)# deny tcp any any eq 5190
Router(config-ext-nacl)# deny tcp any any eq 4443
Router(config-ext-nacl)# deny ip any host 64.12.161.153
Router(config-ext-nacl)# deny ip any host 64.12.161.185
Router(config-ext-nacl)# deny ip any host 64.12.200.89
Router(config-ext-nacl)# deny ip any host 205.188.153.249
Router(config-ext-nacl)# deny ip any host 205.188.179.233
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group aol-messenger out
Notice that I am filtering only outbound traffic in this example. This is because you want to prevent your users from accessing the IM servers at the vendor's location.
TIP
I prefer to create deny statements for the filtering even if the implicit deny will drop these packets: At least I will be seeing matches on these records if someone is breaking the company policy. If this occurs, I can enable logging on the ACL statement to get the source IP address of the user and remind that person of the security policy regarding network usage.
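The following Python script is an added example, not code from the book: it parses the text of show access-lists, reports the deny statements that have counted packets (the matches this tip relies on), and prints the IOS lines that re-enter those statements with the log keyword. The sample output and its counters are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample, laid out like the output of "show access-lists" on IOS;
# the match counters are made up for this example.
SAMPLE_OUTPUT = """\
Extended IP access list aol-messenger
    10 deny udp any any eq 5190
    20 deny tcp any any eq 5190 (37 matches)
    30 deny tcp any any eq 4443
    40 deny ip any host 64.12.161.153 (4 matches)
    50 permit ip any any (188234 matches)
Extended IP access list ICQ
    10 deny udp any any eq 5190
    20 deny tcp any any eq 3474 (2 matches)
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# IOS prints "(1 match)" or "(N matches)" only when the counter is non-zero.
ACE_LINE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


def parse_access_lists(output: str) -> List[Dict]:
    """Turn 'show access-lists' text into one record per ACE."""
    entries: List[Dict] = []
    current = None
    for line in output.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            seq, action, rule, matches = ace.groups()
            entries.append({
                "acl": current,
                "seq": int(seq),
                "action": action,
                "rule": rule,
                "matches": int(matches) if matches else 0,
            })
    return entries


def deny_hits(output: str) -> List[Dict]:
    """Deny statements that have counted at least one packet: someone inside
    tried to reach a banned service."""
    return [e for e in parse_access_lists(output)
            if e["action"] == "deny" and e["matches"] > 0]


def logging_commands(entries: List[Dict]) -> List[str]:
    """IOS configuration lines that add 'log' to the statements that hit.
    IOS rejects a second ACE with an existing sequence number, so each
    statement is removed by sequence number and re-added with 'log'."""
    cmds: List[str] = []
    for acl in sorted({e["acl"] for e in entries}):
        cmds.append(f"ip access-list extended {acl}")
        for e in entries:
            if e["acl"] != acl or e["rule"].endswith(" log"):
                continue
            cmds.append(f" no {e['seq']}")
            cmds.append(f" {e['seq']} {e['action']} {e['rule']} log")
        cmds.append(" exit")
    return cmds


if __name__ == "__main__":
    hits = deny_hits(SAMPLE_OUTPUT)
    for e in hits:
        print(f"{e['acl']} seq {e['seq']}: {e['matches']} matches on '{e['rule']}'")
    print("\n".join(logging_commands(hits)))
```

Once log is on a statement, the resulting syslog messages carry the source address you need to identify the user.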
CAUTION
All the IP addresses that I mention for filtering IM applications are subject to change by the vendor at any point in time. Therefore, make sure that you periodically use a program such as aDig to look up the IP address of the vendor's name server, and then do another lookup for the name, such as login.oscar.aol.com, to get all of the IP addresses that you should be filtering. To download aDig, visit http://www.nscan.org/index.cgi?index=dns.
ICQ previously was owned by Mirabilis, but it was bought out by AOL. Most ICQ clients connect to login.oscar.aol.com, which is AIM's login. Therefore, the filter that I specified in the last section should catch most of your ICQ rule-breakers. However, for the other ICQ users, you need a different configuration. If you are using DNS filtering, set up login.icq.com and http.proxy.icq.com to resolve to 127.0.0.1.
For an ACL filter, configure the outbound filter in Example 7-41.
Router(config)# ip access-list extended ICQ
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny udp any any eq 5190
Router(config-ext-nacl)# deny tcp any any eq 5190
Router(config-ext-nacl)# deny tcp any any eq 4001
Router(config-ext-nacl)# deny udp any any range 4000 4001
Router(config-ext-nacl)# deny tcp any any eq 3474
Router(config-ext-nacl)# deny tcp any any eq 7320
Router(config-ext-nacl)# deny ip any host 64.12.161.153
Router(config-ext-nacl)# deny ip any host 64.12.161.185
Router(config-ext-nacl)# deny ip any host 64.12.200.89
Router(config-ext-nacl)# deny ip any host 64.12.163.130
Router(config-ext-nacl)# deny ip any host 64.12.163.132
Router(config-ext-nacl)# deny ip any host 64.12.163.134
Router(config-ext-nacl)# deny ip any host 64.12.163.136
Router(config-ext-nacl)# deny ip any host 64.12.162.57
Router(config-ext-nacl)# deny ip any host 205.188.153.249
Router(config-ext-nacl)# deny ip any host 205.188.179.233
Router(config-ext-nacl)# deny ip any host 205.188.213.228
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group ICQ out
In this filter, you might want to try filtering 64.12.162.0/24 and 64.12.163.0/24, and see what happens. I have seen these addresses change now and then, so denying all of these addresses might fix the problem. Just be careful that you do not block a valid address, such as a DNS, e-mail, or web server, with the filter.
Microsoft introduced an IM product late in the game. Just recently, Microsoft stated that it is discontinuing its MSN Messenger product outside the United States because of liability and legal reasons: It has been having problems with people breaking the law, such as sharing child pornography, and has had trouble validating the identity of the users committing these crimes. Basically, all you need to use MSN Messenger is a Hotmail e-mail account. To use DNS to black-hole access to MSN Messenger, set up DNS A records to redirect traffic for messenger.hotmail.com and gateway.messenger.hotmail.com to 127.0.0.1.
For an ACL filter, configure the outbound filter in Example 7-42.
Router(config)# ip access-list extended MSN-messenger
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 1503
Router(config-ext-nacl)# deny tcp any any eq 1863
Router(config-ext-nacl)# deny tcp any any eq 6891
Router(config-ext-nacl)# deny udp any any eq 1863
Router(config-ext-nacl)# deny udp any any range 13324 13325
Router(config-ext-nacl)# deny tcp any any eq 569
Router(config-ext-nacl)# deny udp any any eq 569
Router(config-ext-nacl)# deny ip any 64.4.13.0 0.0.0.255
Router(config-ext-nacl)# deny ip any host 207.46.104.20
Router(config-ext-nacl)# deny ip any 207.46.96.0 0.0.0.255
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group MSN-messenger out
In the subnet statement that is shaded in the printed example, you need to filter only addresses 170 to 190; however, in this example, I filtered the entire subnet.
Yahoo! Messenger is not as popular as the other products that I have discussed so far. However, out of all of the IM products, it is the most difficult to block. I have seen it run on all kinds of ports, including 80 (HTTP) and even 23 (Telnet). Your best approach is to black-hole DNS queries. Here is a list of names that you should redirect to 127.0.0.1:
cs.yahoo.com
scs.msg.yahoo.com
scsa.msg.yahoo.com
scsb.msg.yahoo.com
scsc.msg.yahoo.com
scs-fooa.yahoo.com
msg.edit.yahoo.com
messenger.yahoo.com
msg.yahoo.com
http.msg.yahoo.com
http.pager.yahoo.com
msg1.edit.vip.sc5.yahoo.com
webcam.yahoo.com
wc1.vip.sc5.yahoo.com
filetransfer.msg.yahoo.com
filetrans1.msg.vip.sc5.yahoo.com
vc1.vc.scd.yahoo.com
vc2.vc.scd.yahoo.com
vc3.vc.scd.yahoo.com
vc4.vc.scd.yahoo.com
vc5.vc.scd.yahoo.com
vc6.vc.scd.yahoo.com
vc7.vc.scd.yahoo.com
vc8.vc.scd.yahoo.com
vc9.vc.scd.yahoo.com
vc10.vc.scd.yahoo.com
vc11.vc.scd.yahoo.com
vc12.vc.scd.yahoo.com
vc13.vc.scd.yahoo.com
vc1.vip.scd.yahoo.com
As you can see from this list, your DNS work is cut out for you.
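The black-holing described in the earlier tip (one zone per name, one A record pointing at 127.0.0.1) is tedious to type for a list this long, so here is an added Python generator, not from the book, that emits BIND zone stanzas and a single shared zone file for a list of names. The server names, the zone file name, and the short name list below are assumptions for the example; feed it the full list above in practice.

```python
from typing import Dict, Iterable, List

# Constructed subset of the names this section says to black-hole; the full
# Yahoo! list above has many more entries and is fed in the same way.
NAMES = [
    "login.oscar.aol.com",
    "messenger.hotmail.com",
    "msg.yahoo.com",
    "scs.msg.yahoo.com",
    "http.msg.yahoo.com",
    "webcam.yahoo.com",
]

# Assumed local values: the SOA/NS names of your own resolver and the
# file name the zone stanzas point at. Replace them with your own.
PRIMARY_NS = "ns1.corp.example."
HOSTMASTER = "hostmaster.corp.example."
SINKHOLE_ADDR = "127.0.0.1"
ZONE_FILE = "blackhole.zone"


def normalize(names: Iterable[str]) -> List[str]:
    """Lower-case, strip trailing dots and drop duplicates, keeping order."""
    seen = set()
    out: List[str] = []
    for name in names:
        name = name.strip().rstrip(".").lower()
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def named_conf_zones(names: Iterable[str]) -> str:
    """One master zone per name, as the text describes, all sharing one file."""
    return "".join(
        f'zone "{name}" {{ type master; file "{ZONE_FILE}"; }};\n'
        for name in normalize(names)
    )


def blackhole_zone_file(serial: int) -> str:
    """The shared zone file. '@' is whatever origin BIND loads the file for,
    so the same file gives every black-holed name the sinkhole A record."""
    return (
        "$TTL 3600\n"
        f"@ IN SOA {PRIMARY_NS} {HOSTMASTER} ( {serial} 3600 900 604800 3600 )\n"
        f"@ IN NS {PRIMARY_NS}\n"
        f"@ IN A {SINKHOLE_ADDR}\n"
    )


def shadowed_by_parent(names: Iterable[str]) -> Dict[str, str]:
    """Map each name that lies under another black-holed name to that parent.
    Being authoritative for the parent already answers NXDOMAIN for every
    child not in its zone file, so the child zone only changes the answer
    from NXDOMAIN to the sinkhole address. The report also shows how much
    of the vendor's namespace (legitimate names included) a parent zone
    swallows, which is the collateral damage to check before deploying."""
    known = set(normalize(names))
    result: Dict[str, str] = {}
    for name in known:
        labels = name.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in known:
                result[name] = parent
                break
    return result


if __name__ == "__main__":
    print(named_conf_zones(NAMES))
    print(blackhole_zone_file(2004010101))
    for child, parent in sorted(shadowed_by_parent(NAMES).items()):
        print(f"{child} is already inside the {parent} zone")
```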
For an ACL filter, configure the outbound filter in Example 7-43.
Router(config)# ip access-list extended Yahoo
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 5050
Router(config-ext-nacl)# deny udp any any range 5100 5101
Router(config-ext-nacl)# deny tcp any any range 5100 5101
Router(config-ext-nacl)# deny udp any any eq 5050
Router(config-ext-nacl)# deny udp any any range 5000 5010
Router(config-ext-nacl)# deny tcp any any range 5000 5010
Router(config-ext-nacl)# deny tcp any any range 8000 8001
Router(config-ext-nacl)# deny udp any any range 8000 8001
Router(config-ext-nacl)# deny ip any host 64.58.76.37
Router(config-ext-nacl)# deny ip any 66.163.169.0 0.0.0.255
Router(config-ext-nacl)# deny ip any 66.163.172.0 0.0.0.255
Router(config-ext-nacl)# deny ip any 66.163.174.0 0.0.0.255
Router(config-ext-nacl)# deny ip any 66.218.70.0 0.0.0.255
Router(config-ext-nacl)# deny ip any 216.109.116.176 0.0.0.1
Router(config-ext-nacl)# deny ip any host 216.136.128.128
Router(config-ext-nacl)# deny ip any 216.136.172.0 0.0.0.255
Router(config-ext-nacl)# deny ip any 216.136.173.0 0.0.0.255
Router(config-ext-nacl)# deny ip any 216.136.175.0 0.0.0.255
Router(config-ext-nacl)# deny ip any host 216.136.225.238
Router(config-ext-nacl)# deny ip any host 216.136.232.153
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group Yahoo out
For the 66.163.169.0/24 subnet, I know that 143, 148, 149, 150, 212, and 213 are used, but I filtered the entire subnet. For the 66.163.172.0/24 subnet, I know that 51, 80 to 83, 93, 94, 99, and 100 are being used. For the 66.163.174.0/24 subnet, I know that 46 to 49, 77 to 82, 111 to 115, and 117 to 126 are being used. For the 66.218.70.0/24 subnet, I know that 32 to 46 are being used. For the 216.109.116.0 network, only 176 and 177 are used. For the 216.136.172.0 network, I know that 222, 223, 225, and 226 are being used. For the 216.136.173.0 network, 16, 141, 142, and 183 to 186 are being used. For the 216.136.175.0 network, 143 to 145 are being used.
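Both the MSN Messenger example (only .170 through .190 needed, whole /24 filtered) and the per-subnet host lists above raise the same question: how many statements does it cost to filter only the known hosts? This added Python script, not from the book, breaks an inclusive address range into the fewest aligned blocks and renders each as an IOS deny statement with the wildcard mask, so you can weigh the tighter filter against the longer ACL.

```python
import ipaddress
from typing import Iterable, List, Tuple


def ace_for_network(net: ipaddress.IPv4Network, direction: str = "dst") -> str:
    """Render one aligned block as an IOS extended ACE. IOS wants a wildcard
    mask (the inverted netmask), which is exactly IPv4Network.hostmask; a /32
    uses the 'host' keyword as the examples in this chapter do."""
    if net.prefixlen == 32:
        target = f"host {net.network_address}"
    else:
        target = f"{net.network_address} {net.hostmask}"
    if direction == "dst":          # outbound filter: our users to the vendor
        return f"deny ip any {target}"
    return f"deny ip {target} any"  # inbound filter: the vendor to our users


def aces_for_range(first: str, last: str, direction: str = "dst") -> List[str]:
    """Cover an inclusive address range with the fewest aligned blocks."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"range end {last} precedes start {first}")
    return [ace_for_network(n, direction)
            for n in ipaddress.summarize_address_range(lo, hi)]


def aces_for_hosts(subnet: str, host_ranges: Iterable[Tuple[int, int]],
                   direction: str = "dst") -> List[str]:
    """Hosts given as last-octet ranges inside a /24, the way the text lists
    them (e.g. 170 to 190). Overlapping or touching ranges are merged first
    so the output is as short as possible."""
    base = int(ipaddress.IPv4Network(f"{subnet}/24", strict=False).network_address)
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(host_ranges):
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad last-octet range {lo}-{hi}")
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    aces: List[str] = []
    for lo, hi in merged:
        aces.extend(aces_for_range(str(ipaddress.IPv4Address(base + lo)),
                                   str(ipaddress.IPv4Address(base + hi)),
                                   direction))
    return aces


if __name__ == "__main__":
    # The MSN Messenger case from the text: only .170 through .190 are needed.
    for ace in aces_for_hosts("64.4.13.0", [(170, 190)]):
        print(ace)
```

For .170 through .190 the tight version costs six statements instead of one, which is the maintenance price of not blocking the rest of the /24.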
As you can see from the ACL in Example 7-43, filtering Yahoo! Messenger is not simple. Actually, I would like to talk to the designers of this network; it is a mess.
With the introduction of the Apple Mac OS X Rendezvous, the Apple iChat program is becoming more popular. It has built-in text chat, audio, video, and file-sharing capabilities. Filtering this is much easier than filtering the others that I have discussed. Example 7-44 shows the ACL to filter this traffic.
Router(config)# ip access-list extended iChat
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 5298
Router(config-ext-nacl)# deny udp any any eq 5298
Router(config-ext-nacl)# deny udp any any eq 5353
Router(config-ext-nacl)# deny udp any any eq 5060
Router(config-ext-nacl)# deny udp any any range 16384 16403
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group iChat out
File-sharing programs, commonly called peer-to-peer (P2P) programs, allow people to share files easily: They are the next generation of FTP. Many of these services are legitimate, allowing users to share resources that provide benefits. However, many of these services allow users to trade illegal items, such as copyrighted books and music, certain kinds of pornography, software and games, and many other items. Even so, some users still want to install and use these programs on their desktops.
It is bad enough that a user wants to set up a client and download large files, eating up your bandwidth. It is much worse when someone gets set up as a server and lets hundreds of people download content to and from the desktop. In university environments, P2P programs have created a huge bandwidth problem. Normally, universities are fairly open in the use of the Internet, but many of them are creating and enforcing policies to reduce the congestion that these programs have on their network. Some even have developed ingenious solutions to dynamically bar users from network access if they break university policies regarding the use of these programs. In a university environment, it is not unusual to see 50 to 60 percent of Internet traffic related to P2P file sharing; I can understand why universities are taking a hard stance on the use of P2P programs.
Many of the files shared are very large in P2P environments, so many companies have policies prohibiting users from using P2P programs. You can use four basic solutions to help prevent the use of P2P programs in your network:
Create policies prohibiting the use of P2P programs.
Use an IDS solution to detect P2P programs.
Use a content-filtering solution to catch P2P programs that use port 80 (they try to hide their downloads in a web connection). I discuss content filtering in Chapter 10.
Use ACLs to filter P2P traffic.
To do this correctly, you first need to ensure that your company implements a policy banning the use of P2P programs: Your company's policy should have an acceptable use clause under which P2P programs are not permitted. Of the last three bullets, you typically use a combination of two or three to detect and prevent the use of P2P programs.
One main issue of P2P programs is that they are very dynamic in accessing P2P servers and downloading content, so detecting and preventing them is difficult (sort of like the filtering example to prevent Yahoo! Messenger). My main concern when dealing with P2P programs is not to prevent them completely; this is probably impossible. My main goal is to detect their usage and confront the person or people using them, and to enforce the penalties, if necessary, in the company's policies. Therefore, the ACLs that I am using detect and prevent most P2P program usage. You definitely will want to keep track of ACL matches on these statements to catch rule-breakers in your company.
CAUTION
Some P2P applications use ports 80 and 23 (Telnet) to run the server software. Therefore, in many instances, it might be impossible to stop the traffic. However, in most instances, the client software typically uses the well-known port number when connecting to the server. If this access is denied, these programs typically try other configured ports (such as 80 or 23, if the client software supports these). If you see a lot of deny statement matches on P2P ACL statements and a big increase of traffic on other port numbers, one or more people in your network are using P2P programs.
Also, some people use proxy programs, such as SOCKS, to connect to an external server, assuming that the server permits proxy connections for various applications, such as P2P. Unless you use an IDS solution, catching this kind of behavior is very difficult.
The most well known of the P2P programs is Napster. It gained its fame when the music industry sued because its customer base was illegally sharing music content without users paying for it. Because of the lawsuit, Napster closed its doors and then reopened as a pay site. Therefore, you do not need to be as concerned with this P2P program, compared to others I talk about in subsequent sections.
To block Napster traffic, you need to filter certain ports and IP addresses. Example 7-45 displays an example of a filter to prevent Napster traffic.
Router(config)# ip access-list extended napster-in
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 6699
Router(config-ext-nacl)# deny tcp any any eq 6257
Router(config-ext-nacl)# deny udp any any eq 6699
Router(config-ext-nacl)# deny udp any any eq 6257
Router(config-ext-nacl)# deny tcp any any range 8875 8890
Router(config-ext-nacl)# deny tcp any any eq 1911
Router(config-ext-nacl)# deny tcp any any eq 2222
Router(config-ext-nacl)# deny tcp any any eq 3456
Router(config-ext-nacl)# deny tcp any any eq 4444
Router(config-ext-nacl)# deny tcp any any eq 5555
Router(config-ext-nacl)# deny tcp any any eq 6666
Router(config-ext-nacl)# deny tcp any any eq 7777
Router(config-ext-nacl)# deny tcp any any eq 9999
Router(config-ext-nacl)# deny tcp any any eq 35000
Router(config-ext-nacl)# deny tcp any any eq 44444
Router(config-ext-nacl)# deny tcp any any eq 56789
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended napster-out
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 6699
Router(config-ext-nacl)# deny tcp any any eq 6257
Router(config-ext-nacl)# deny udp any any eq 6699
Router(config-ext-nacl)# deny udp any any eq 6257
Router(config-ext-nacl)# deny tcp any any range 8875 8890
Router(config-ext-nacl)# deny tcp any any eq 1911
Router(config-ext-nacl)# deny tcp any any eq 2222
Router(config-ext-nacl)# deny tcp any any eq 3456
Router(config-ext-nacl)# deny tcp any any eq 4444
Router(config-ext-nacl)# deny tcp any any eq 5555
Router(config-ext-nacl)# deny tcp any any eq 6666
Router(config-ext-nacl)# deny tcp any any eq 7777
Router(config-ext-nacl)# deny tcp any any eq 9999
Router(config-ext-nacl)# deny tcp any any eq 35000
Router(config-ext-nacl)# deny tcp any any eq 44444
Router(config-ext-nacl)# deny tcp any any eq 56789
Router(config-ext-nacl)# deny ip any 208.184.216.222 0.0.0.1
Router(config-ext-nacl)# deny ip any host 208.178.163.61
Router(config-ext-nacl)# deny ip any 208.178.175.128 0.0.0.7
Router(config-ext-nacl)# deny ip any 208.184.216.192 0.0.0.31
Router(config-ext-nacl)# deny ip any 208.49.239.240 0.0.0.15
Router(config-ext-nacl)# deny ip any 64.124.41.0 0.0.0.255
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group napster-in in
Router(config-if)# ip access-group napster-out out
Notice that in this example I have two ACLs. The first one is used to filter Napster traffic coming into the network, just in case a user has set himself up as a server. The second one is used to filter the Napster client from connecting to a server. I put in the known IP addresses of Napster servers in this list, but it is subject to change at any given time.
TIP
The most important thing to include in these filters is the port numbers that I have listed. Because your first concern is detecting the Napster use, you might want to exclude the Napster servers that I have listed. The filter will keep track of the number of matches if you have users attempting to use Napster.
The ACL in Example 7-45 filters "official" Napster traffic. However, additional rogue Napster servers are known to exist on the Internet. Users can download a product called Napigator that will allow them to access either set of servers. The up-to-date list of these servers is kept at http://www.napigator.com/serverlist. The last time I checked, more than 100 Napigator servers were listed. The main problem with this list is that many of the addresses I checked did not have the Napster software installed on them; furthermore, this list changes on a weekly basis. With the ACL I configured, I have included the port numbers that these servers use; you should not have to worry about filtering these addresses unless you find a specific Napster problem in your network that is related to one of these servers.
Kazaa and Morpheus are second-generation Napster applications. As with Napster, they allow the use of P2P to share files between people. Because of the legal issues Napster faced, Kazaa has become one of the most popular file-sharing programs on the Internet. Blocking these P2P applications is actually more difficult than blocking Napster. For example, when a Kazaa client accesses a Morpheus server, it first tries TCP 1214 (sometimes UDP). If this is blocked, it tries ports from 1000 to 4000. If these are blocked, it tries port 80. Therefore, because you will want your users to access port 80, it seems that blocking this P2P traffic is impossible. However, your main goal here is to detect that your users are using this application. When you know that one of your users is trying to use Kazaa, you can take the appropriate action detailed in your company's policies. Example 7-46 shows how to set up an ACL to filter Kazaa traffic.
Router(config)# ip access-list extended kazaa-in
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 1214
Router(config-ext-nacl)# deny udp any any eq 1214
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended kazaa-out
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 1214
Router(config-ext-nacl)# deny udp any any eq 1214
Router(config-ext-nacl)# deny ip any 213.248.112.0 0.0.0.255
Router(config-ext-nacl)# deny ip any host 24.73.55.18
Router(config-ext-nacl)# deny ip any host 24.103.112.18
Router(config-ext-nacl)# deny ip any host 65.92.89.216
Router(config-ext-nacl)# deny ip any host 68.5.8.4
Router(config-ext-nacl)# deny ip any host 68.65.238.48
Router(config-ext-nacl)# deny ip any host 68.67.210.20
Router(config-ext-nacl)# deny ip any host 68.81.141.205
Router(config-ext-nacl)# deny ip any host 68.97.116.232
Router(config-ext-nacl)# deny ip any host 68.98.62.2
Router(config-ext-nacl)# deny ip any host 68.102.79.211
Router(config-ext-nacl)# deny ip any host 205.150.0.55
Router(config-ext-nacl)# deny ip any host 205.180.85.40
Router(config-ext-nacl)# deny ip any host 205.206.22.50
Router(config-ext-nacl)# deny ip any host 206.29.192.80
Router(config-ext-nacl)# deny ip any host 206.142.53.17
Router(config-ext-nacl)# deny ip any host 206.142.53.19
Router(config-ext-nacl)# deny ip any host 206.142.53.21
Router(config-ext-nacl)# deny ip any host 208.185.90.205
Router(config-ext-nacl)# deny ip any host 209.225.0.6
Router(config-ext-nacl)# deny ip any host 213.248.112.35
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group kazaa-in in
Router(config-if)# ip access-group kazaa-out out
Notice that in Example 7-46, I have two ACLs. The first one is used to filter Kazaa traffic coming into the network, just in case a user has set himself up as a server. The second one is used to filter the Kazaa client from connecting to a Morpheus server. I put in the known IP addresses of Morpheus servers in this list, but it is subject to change at any given time. The most important thing to include in these filters is the port numbers that I have listed. Because your first concern is detecting Kazaa usage, you might want to exclude the Morpheus servers that I have listed. The filter will keep track of the number of matches if you have users attempting to use Kazaa/Morpheus.
Gnutella is another P2P file-sharing application. Many client programs are based on the Gnutella technology, including Bearshare, LimeWire, Gnucleus, ToadNode, and others. As with Kazaa, Gnutella can use many different port numbers to make its connection, making it difficult to filter. Even if you filter its main port, TCP 6346, it can use other ports, such as 80 and 21 (FTP). Again, the main concern is detecting this traffic. Example 7-47 shows an ACL configuration that greatly restricts these kinds of connections.
Router(config)# ip access-list extended gnutella
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 6346
Router(config-ext-nacl)# deny tcp any any range 6345 6349
Router(config-ext-nacl)# deny udp any any range 6345 6349
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group gnutella in
Router(config-if)# ip access-group gnutella out
Most Gnutella clients connect through TCP 6346; however, some have been known to use either TCP or UDP and port numbers from 6345 to 6349. Therefore, I have included statements for these. Even though the first deny statement is not necessary, I typically put it in so that I can see the number of matches on people who use the more popular Gnutella programs versus the less popular ones. If I see an increase in the less popular ones, I begin investigating further to see if the ACL that I have created is catching this traffic, especially if it is a new program.
Like the other programs discussed so far, IMesh is a P2P program. Unlike the others, it has a neat user feature: When a user selects a file to download, the IMesh server searches the list of available sources and tells the client the source that has the fastest download access at that time. In addition, if the download is interrupted, the user can resume the download process for the same file from a different server. This is great if you have only modem access and you get disconnected constantly.
IMesh is difficult to filter, especially because it can try many ports when attempting to connect. IMesh licensed the P2P technology from Kazaa, making the ACL filter similar, as displayed in Example 7-48.
Router(config)# ip access-list extended IMesh-in
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 1214
Router(config-ext-nacl)# deny udp any any eq 1214
Router(config-ext-nacl)# deny icmp 216.35.208.0 0.0.0.255 any
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended IMesh-out
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 1214
Router(config-ext-nacl)# deny udp any any eq 1214
Router(config-ext-nacl)# deny icmp any 216.35.208.0 0.0.0.255
Router(config-ext-nacl)# deny ip any 216.35.208.0 0.0.0.255
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group IMesh-in in
Router(config-if)# ip access-group IMesh-out out
The first ACL drops inbound traffic to an internal IMesh server if a rogue one has been set up. All IMesh servers that I know of are located in 216.35.208.0/24. Notice that the only deny statement in the inbound ACL drops any ICMP traffic from these servers. One interesting tidbit about IMesh is that the servers periodically send ICMP messages to see if the clients are connected. By putting this deny statement here, you are capturing matches while a client is connected (you might want to log this information). The outbound ACL drops traffic sent to the IMesh servers. I also put in a filter, just in case the client initiates the ping process (I have never seen this personally, but it might happen, based on the experience of other network administrators). Note that IMesh is smart and allows clients to connect on different ports if 1214 is filtered.
WinMX is another Napster-type clone. However, it has included some additional functionality, similar to that of Gnutella. Filtering it also is difficult, but the ACL in Example 7-49 should prevent most, if not all, downloads through WinMX clients.
Router(config)# ip access-list extended winmx-in
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 6699
Router(config-ext-nacl)# deny tcp any any eq 6257
Router(config-ext-nacl)# deny udp any any eq 6699
Router(config-ext-nacl)# deny udp any any eq 6257
Router(config-ext-nacl)# deny ip 64.49.201.0 0.0.0.255 any
Router(config-ext-nacl)# deny ip 209.61.186.0 0.0.0.255 any
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended winmx-out
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any eq 6699
Router(config-ext-nacl)# deny tcp any any eq 6257
Router(config-ext-nacl)# deny udp any any eq 6699
Router(config-ext-nacl)# deny udp any any eq 6257
Router(config-ext-nacl)# deny ip any 64.49.201.0 0.0.0.255
Router(config-ext-nacl)# deny ip any 209.61.186.0 0.0.0.255
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group winmx-in in
Router(config-if)# ip access-group winmx-out out
Notice that in this example, I am blocking the two common ports that Napster uses because WinMX uses them also. However, this is no guarantee that WinMX connections will fail. Typically, the client uses other ports to connect. I also have included in my two ACLs the networks where the WinMX servers are located, hopefully shutting the door on any WinMX file sharing.
AudioGalaxy is used to share audio files, such as music. When the client attempts to make a connection, it typically searches for higher ports (41,000 through 42,000) on the AudioGalaxy server. Filtering these ports can be an issue, especially because these might be valid source ports from Internet users accessing your internal resources. Therefore, you might not want to filter these ports, but at a minimum put a permit statement in your ACL so that you can keep track of the number of hits on the statement. On top of this issue, AudioGalaxy uses FTP to transfer the files. If you have an internal FTP server or you want your internal users to access external FTP servers, you cannot block FTP access. Therefore, the best solution to prevent this problem is to filter traffic to and from the AudioGalaxy network, as displayed in Example 7-50.
Router(config)# ip access-list extended audiogalaxy-in
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny ip 64.245.58.0 0.0.1.255 any
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended audiogalaxy-out
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny ip any 64.245.58.0 0.0.1.255
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group audiogalaxy-in in
Router(config-if)# ip access-group audiogalaxy-out out
Notice that I did not block the port ranges from 41,000 to 42,000; I have done this in the past but have experienced problems with Internet users accessing internal resources with source port numbers in this range, thereby denying them service. Therefore, I filter only on the network where AudioGalaxy operates. Notice the 0.0.1.255 wildcard mask that I used: This is correct. I actually am matching on 64.245.58.0 and 64.245.59.0.
Unlike the other P2P programs that I have discussed so far, eDonkey2000 is a noncommercial package used by people who want to set up their own P2P service or network. It is not a simple matter to filter traffic going to a specific destination, especially because you do not know what the destinations are. To see a list of active eDonkey2000 sites, visit http://ocbmaurice.dyndns.org/pl/slist.pl.
eDonkey2000 uses three types of connections:
TCP 4661 is used by the client to connect to the server. (I also have seen 4242 and 4243.)
TCP 4662 is used by the client to connect to other clients.
UDP 4665 is used by the client to send messages to servers that the client currently is not connected to.
The ACL in Example 7-51 prevents client eDonkey2000 traffic from leaving and entering your network.
Router(config)# ip access-list extended edonkey
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# deny tcp any any range 4661 4662
Router(config-ext-nacl)# deny tcp any any range 4242 4243
Router(config-ext-nacl)# deny udp any any eq 4665
Router(config-ext-nacl)# remark <permit or deny other traffic>
Router(config-ext-nacl)# remark <put these statements here>
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group edonkey in
Router(config-if)# ip access-group edonkey out
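Because none of these ACLs can be tested without a router, here is an added example (my own code, not from the book or from Cisco) that evaluates a subset of the IOS extended-ACL syntax used in Examples 7-50 and 7-51 against sample flows: first-match processing, the implicit deny at the end of every ACL, wildcard masks, and the eq and range port operators. It checks the eDonkey2000 entries above, confirms that the 0.0.1.255 wildcard from the AudioGalaxy example covers both 64.245.58.0 and 64.245.59.0, and reproduces the collateral damage described for an inbound source-port-range filter. The sample addresses and ports are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    sport: int = 0  # source port (0 for icmp)
    dport: int = 0  # destination port (0 for icmp)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Callable[[str], bool], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = tokens[i + 1]
        return (lambda ip: ip == host), i + 2
    net, wc = tokens[i], tokens[i + 1]
    return (lambda ip: wildcard_match(ip, net, wc)), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Callable[[int], bool], int]:
    """Consume an optional 'eq N' or 'range LO HI'; with no operator every port matches."""
    if i < len(tokens) and tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (lambda port: port == p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda port: lo <= port <= hi), i + 3
    return (lambda port: True), i


def parse_ace(line: str) -> Optional[Tuple[str, Callable[[Flow], bool]]]:
    """Parse one access-control entry into (action, matcher); remark lines yield None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src_ok, i = _parse_addr(tokens, 2)
    sport_ok, i = _parse_port(tokens, i)
    dst_ok, i = _parse_addr(tokens, i)
    dport_ok, i = _parse_port(tokens, i)  # trailing keywords such as 'log' are ignored

    def matches(f: Flow) -> bool:
        return ((proto == "ip" or proto == f.proto)
                and src_ok(f.src) and sport_ok(f.sport)
                and dst_ok(f.dst) and dport_ok(f.dport))
    return action, matches


def evaluate(acl: List[str], flow: Flow) -> Tuple[str, str]:
    """First matching entry wins; a flow that matches nothing hits the implicit deny."""
    for line in acl:
        parsed = parse_ace(line)
        if parsed is None:
            continue
        action, matches = parsed
        if matches(flow):
            return action, line.strip()
    return "deny", "<implicit deny>"


# The eDonkey2000 entries from Example 7-51, followed by an explicit permit for everything else.
EDONKEY_ACL = [
    "remark <permit or deny other traffic>",
    "deny tcp any any range 4661 4662",
    "deny tcp any any range 4242 4243",
    "deny udp any any eq 4665",
    "permit ip any any",
]

# An inbound source-port-range filter of the kind the AudioGalaxy text warns against.
PORT_RANGE_ACL_IN = [
    "deny tcp any range 41000 42000 any",
    "permit ip any any",
]


def demo() -> dict:
    """Evaluate constructed flows (documentation addresses) and return what each one gets."""
    return {
        "edonkey_server": evaluate(EDONKEY_ACL, Flow("tcp", "10.1.1.5", "198.51.100.7", 3456, 4661))[0],
        "edonkey_udp": evaluate(EDONKEY_ACL, Flow("udp", "10.1.1.5", "198.51.100.7", 4665, 4665))[0],
        "web_browsing": evaluate(EDONKEY_ACL, Flow("tcp", "10.1.1.5", "203.0.113.10", 41500, 80))[0],
        # A legitimate inbound request to an internal web server from ephemeral source port 41500.
        "inbound_web_collateral": evaluate(PORT_RANGE_ACL_IN, Flow("tcp", "203.0.113.9", "192.0.2.10", 41500, 80))[0],
        # 0.0.1.255 covers 64.245.58.0 and 64.245.59.0 but not 64.245.60.0.
        "wildcard_59": wildcard_match("64.245.59.77", "64.245.58.0", "0.0.1.255"),
        "wildcard_60": wildcard_match("64.245.60.1", "64.245.58.0", "0.0.1.255"),
    }
```

Run `demo()` to see that the eDonkey server and UDP flows are denied while ordinary web browsing is permitted, that an inbound connection whose source port happens to fall in 41000-42000 is dropped by the port-range filter, and that the wildcard covers exactly the two /24s the text names. Feeding your own candidate entries and the flows you must keep working into `evaluate` is a cheap way to catch this kind of collateral damage before the ACL goes on an interface.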
TIP
If you really are concerned about P2P software, there are much better detection systems out there than using ACLs on a router. Many of these systems are sort of a hybrid IDS, enabling you to track P2P usage, the amount of bandwidth used, how much connect time is involved, what files are being downloaded, and so on. If you want a detailed record of these kinds of transactions, I recommend buying one of these products. The solutions that I discussed in this section are a quick-and-dirty fix: They identify users who are using these programs, which enables you to deal with the problem directly with these people. I have never worked with any of these products personally, but a few of my customers have used them with success: AssetMetrix (http://www.assetmetrix.com/solutions/p2p/) and Packeteer (http://www.packeteer.com/).